Bug 1935102 - Error: specifying a root certificates file with the insecure flag is not allowed during oc login
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Mike Dame
QA Contact: zhou ying
Reported: 2021-03-04 12:08 UTC by Praveen Kumar
Modified: 2021-07-27 22:51 UTC (History)

Last Closed: 2021-07-27 22:51:10 UTC
Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift oc pull 757 | 0 | None | open | Bug 1935102: Revert Avoid TLS cert checking when login with --insecure-skip-tls-verify=true | 2021-03-05 18:23:35 UTC |
| Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 22:51:41 UTC |

Description Praveen Kumar 2021-03-04 12:08:02 UTC
Description of problem: The nightly version of the oc client errors out when trying to log in to a cluster using the `--insecure-skip-tls-verify` option.

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703

How reproducible:
```

$ oc version --client
Client Version: 4.8.0-0.nightly-2021-03-04-014703

$ oc login  --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
error: specifying a root certificates file with the insecure flag is not allowed


$ /usr/local/bin/oc version --client
Client Version: 4.6.17

$ /usr/local/bin/oc login  --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
Login successful.

```

Actual results:
error: specifying a root certificates file with the insecure flag is not allowed

Expected results:
Login should be successful.

Additional info:

Comment 1 Maciej Szulik 2021-03-05 11:35:25 UTC
Mike, I wonder if that's related to your recent changes to how we treat --insecure-skip-tls-verify.

Comment 2 Mike Dame 2021-03-05 16:06:24 UTC
Yeah, that does look suspiciously like a regression.

The error comes from k8s.io/client-go/transport/transport.go: https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/transport/transport.go#L64-L66

That Insecure field is copied from the rest.Config object: https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/rest/transport.go#L70

I think this is the field we tied the --insecure-skip-tls-verify flag to in https://github.com/openshift/oc/pull/746: https://github.com/damemi/oc/blob/2e4a10d26057354829acd2c47a848a39f188b198/pkg/cli/login/loginoptions.go#L137

So, it seems the fix we went with is not the right way to fix this, or it needs to be addressed upstream. This level of client/auth knowledge is a bit beyond my scope so I don't know the best way to address this. Though, I think we should revert the PR for now.
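
An added sketch of the conflict described in Comment 2, not code from oc or client-go: `clientTLS`, `buildTLS` and `applyInsecureFlag` are hypothetical names modelling a client that rejects a CA combined with the insecure setting, plus one way a caller could reconcile the two explicitly. It assumes the CA was already present in the config when the flag was applied, which the report does not state.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// clientTLS is a hypothetical stand-in for the TLS fields of a client config.
type clientTLS struct {
	Insecure bool   // set from --insecure-skip-tls-verify
	CA       []byte // PEM read from a root certificates file or inline data
}

var errInsecureWithCA = errors.New("specifying a root certificates file with the insecure flag is not allowed")

// buildTLS refuses a config that both pins a CA and disables verification.
func buildTLS(c clientTLS) (*tls.Config, error) {
	if len(c.CA) > 0 && c.Insecure {
		return nil, errInsecureWithCA
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: c.Insecure}
	if len(c.CA) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(c.CA) {
			return nil, errors.New("no certificates found in CA bundle")
		}
	}
	return cfg, nil
}

// applyInsecureFlag makes the flag win explicitly and reports a dropped CA so the caller can warn.
func applyInsecureFlag(c clientTLS, flag bool) (clientTLS, bool) {
	if !flag {
		return c, false
	}
	dropped := len(c.CA) > 0
	c.Insecure, c.CA = true, nil
	return c, dropped
}

func main() {
	saved := clientTLS{Insecure: true, CA: []byte("constructed placeholder bundle")} // constructed input
	_, err := buildTLS(saved)
	fmt.Println("flag copied as-is:", err)
	fixed, dropped := applyInsecureFlag(saved, true)
	cfg, err := buildTLS(fixed)
	fmt.Println("reconciled:", cfg.InsecureSkipVerify, "CA dropped:", dropped, err)
}
```

Returning the `dropped` value lets the caller log that a configured trust root was discarded, so the downgrade to an unverified connection is visible rather than silent.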

Comment 4 zhou ying 2021-03-08 08:02:22 UTC
Can't reproduce now:
```
[root@localhost ~]# oc login --insecure-skip-tls-verify -u kubeadmin -p ieLYM-fKSif-aui2z-B4vx7   https://api.yinzhou8aws.qe.devcluster.openshift.com:6443
Login successful.

You have access to 62 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
[root@localhost ~]# oc version 
Client Version: 4.8.0-202103080232.p0-f749845
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9
```

Comment 7 errata-xmlrpc 2021-07-27 22:51:10 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

